Harvard University Information Security | HARVARD.EDU

Level 4

Configure firewall for allowed administration

The firewall must be configured to only permit administrative access from the specific systems used by the administrators for the specific service.

Configure firewall to permit required traffic

The firewall must be configured to only permit inbound traffic that is required for the proper operation of the server.

Implement firewall between server and network

There must be a firewall between the server and any network which includes user computers. This can be a host-based firewall.

Force re-authentication with locking screensaver

Force re-authentication with a locking screen saver on client machine.

Block excessive logins

Block user from logging in for a period of time after no more than 10 successive invalid login attempts.

Permit only competent operation of servers

It is important that anyone who performs administrative responsibilities on these systems have sufficient technical knowledge, via experience and/or training, to be able to implement these requirements and recognize when they need to seek help.

Servers must meet the most stringent requirement

Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification. If you aren't able to identify whether or not a server may have HRCI, apply the level 4 controls.

File sharing and collaboration services

Consult the Collaboration Tools Matrix as well as the Data Classification Level guides for Administrative Data and...

No Level 4 On Devices

Work from materials stored on approved servers or services and do not copy them to your local system. If you are conducting field research to collect Level 4 data and cannot meet this requirement send an email to ithelp@harvard.edu to request an information security consultation for Harvard-approved external encrypted portable storage media and process.

Secure locations

SC8: Servers must be kept in secure locations and properly inventoried, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

User access

SC7: User access to level 4 information on servers must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Access logs

SC6: Logs of user and administrator access to servers and applications must be securely maintained on a remote computer, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Permitted access

SC5: The business application owner for applications dealing with Level 4 information must designate which employees have permission to access level 4 information about others from outside the Harvard wired or other Harvard strongly authenticated and encrypted wireless network.

Outbound traffic

SC4: Outbound traffic from servers must be limited to that required to properly operate the service, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Server vulnerability

SC3: Server operators must take reasonable actions on a regular basis to ensure that their systems are not vulnerable to attack, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Information Security Policy

Harvard University